[herbst]

FYI in ops security model they likely used bridges, which are not on a public list as the other nodes.

That said, I am no specialist however, I am pretty sure pattern matching does not really work reliably.

The most common attack to de-anonymize tor users in the recent years is getting control of their server and than match incoming traffic with outgoing traffic from their country and basically catch them logged in. However as you can tell this needs international cooperation and a bit of work.